Czech Republic Confronts China Over Major Cyber Espionage Campaign: APT31's Three-Year Assault on Prague's Foreign Ministry


Bottom Line Up Front: The Czech Republic has summoned China's ambassador over a sophisticated three-year cyber espionage campaign that targeted the Czech Foreign Ministry's unclassified communications network, marking the latest escalation in a global pattern of Chinese state-sponsored cyber attacks attributed to the notorious APT31 group.

The Diplomatic Confrontation

On Wednesday, May 28, 2025, the Czech Republic took the unprecedented step of officially confronting China over what it termed "a malicious cyber campaign" targeting a network used for unclassified communication at its Foreign Affairs ministry. Foreign Minister Jan Lipavský personally summoned the Chinese ambassador to Prague, delivering a stern diplomatic message that "such activities have serious impacts on mutual relations".

The confrontation represents more than a bilateral diplomatic spat—it signals a broader hardening of European attitudes toward Chinese cyber aggression and marks a significant moment in the ongoing digital cold war between democratic nations and authoritarian regimes.

Statement by the Government of the Czech Republic on the Cyber Attack from the People's Republic of China

The Technical Details of the Attack

The attacks started during the country's 2022 EU presidency and were perpetrated by the cyber espionage group APT31, which Czech officials say, with a "high degree of certainty", was responsible for the breach. The timing is particularly significant—targeting the Czech Republic during its EU presidency would have given the attackers potential access to sensitive diplomatic communications and insight into European Union decision-making processes.

The foreign ministry said in a statement the attack started in 2022 and targeted "one of the unclassified networks" of the ministry, though officials have not disclosed the specific information that may have been compromised. The Czech government has since implemented a new communications system to address the vulnerabilities exploited in the attack.

Understanding APT31: China's Elite Cyber Unit

Advanced Persistent Threat 31 (APT31), also known as Zirconium, Judgment Panda, and Violet Typhoon, represents one of China's most sophisticated state-sponsored hacking groups. The group was allegedly run by China's Ministry of State Security and, for more than a decade, targeted millions of people, mostly in the U.S. and Britain, including officials, lawmakers, activists, academics and journalists, as well as firms ranging from defence contractors to a U.S. smartphone maker.

The APT31 Group was part of a cyberespionage program run by the MSS's Hubei State Security Department, located in the city of Wuhan. The group operated through a front company, Wuhan Xiaoruizhi Science and Technology Company (Wuhan XRZ), from at least 2010 until January 2024, demonstrating the sophisticated infrastructure China has developed to conduct cyber espionage operations.

The United States, NATO, and the European Union also condemned the attack and expressed solidarity with the Czechs.

APT31's Global Operations

The scope of APT31's activities extends far beyond the Czech Republic. The defendants and others in the APT31 Group targeted thousands of U.S. and foreign individuals and companies. Some of this activity resulted in successful compromises of the targets' networks, email accounts, cloud storage accounts, and telephone call records, with some surveillance of compromised email accounts lasting many years.

The group was first publicly identified in 2016 and is believed to have operated since 2010, but its most devastating attack came in 2021, when APT31 and another state-backed group took advantage of a flaw in Microsoft's email server system, Exchange, to steal personal data. Around 250,000 email servers were affected by the hack, including an estimated 7,000 in the UK.

The group's tactics are particularly insidious. The more than 10,000 malicious emails that the defendants and others in the APT31 Group sent to these targets often appeared to be from prominent news outlets or journalists, demonstrating their sophisticated social engineering capabilities.

International Response and Condemnation

The Czech accusations have triggered a coordinated international response, highlighting the collective concern among democratic nations about Chinese cyber activities.

NATO's Position

NATO issued a strong statement expressing solidarity with the Czech Republic. "We observe with increasing concern the growing pattern of malicious cyber activities stemming from the People's Republic of China," NATO said, indicating that the alliance views these attacks as part of a broader strategic threat rather than isolated incidents.

European Union's Stance

EU foreign policy chief Kaja Kallas condemned the attack in unequivocal terms. "This attack is an unacceptable breach of international norms," Kaja Kallas, the EU's foreign policy chief, said. "The EU will not tolerate hostile cyber actions".

EU member states have increasingly been the target of cyber attacks from China in recent years and China should do more to prevent them, the European Union said on Wednesday. Kallas emphasized that "We call upon all states, including China, to refrain from such behaviour. States should not allow their territory to be used for malicious cyber activities".

Importantly, Ms Kallas said the EU was ready to take further action if needed to prevent, deter or respond to malicious behaviour in cyberspace, suggesting that the bloc is prepared to escalate its response to Chinese cyber aggression.

China's Response and Denial

The Chinese Embassy dismissed the Czech accusations as "groundless." It said China fights "all forms of cyber attacks and does not support, promote or tolerate hacker attacks". This response follows China's standard playbook of categorical denial when confronted with evidence of state-sponsored cyber activities.

China's embassy in Prague called on the Czech side to end its "microphone diplomacy", attempting to frame the Czech government's public attribution as diplomatic grandstanding rather than a legitimate security concern.

Historical Context of Czech-China Cyber Tensions

This is not the first time the Czech Republic has been targeted by sophisticated cyber attacks. In a separate cyberattack in 2017, the email account of then-Czech Foreign Minister Lubomír Zaorálek and the accounts of dozens of ministry officials were successfully hacked. Officials said the attack was sophisticated, and experts believed it was carried out by a foreign state, which was not named at the time.

The pattern suggests sustained interest from foreign intelligence services in Czech diplomatic communications, likely driven by the country's strategic position within NATO and the EU, as well as its increasingly assertive stance on issues affecting Chinese interests.

Czech-Taiwan Relations as a Factor

Prague has recently angered Beijing by fostering close ties with Taiwan as high-profile Czech delegations, including the parliament speakers, have visited the island while Taiwanese officials came to Prague several times. These diplomatic initiatives directly challenge China's "One China" policy and may have motivated increased surveillance of Czech government communications.

China is trying to keep Taipei isolated on the world stage and to prevent any sign of international legitimacy for the island. It sees such visits as an infringement of the one-China policy, which Prague officially pursues, just like the rest of the EU.

The Broader Cyber Threat Landscape

The Czech incident represents part of a broader escalation in state-sponsored cyber activities targeting democratic institutions worldwide. The Czech Security Information Office (BIS) singled out China as a threat to security in its 2024 annual report, indicating that Czech intelligence services have been tracking Chinese activities for some time.

The international community has not limited its response to diplomatic protests. The United States and Britain filed charges and imposed sanctions on a company and individuals tied to a Chinese state-backed hacking group named APT31. U.S. authorities have offered rewards of up to $10 million for information on the hackers, demonstrating the seriousness with which Western governments view these threats.

An indictment unsealed in the United States charged seven nationals of the People's Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses and political officials.

Implications for International Cybersecurity

The Czech Republic's decision to publicly attribute the attack and summon the Chinese ambassador represents a significant escalation in how democratic nations are responding to state-sponsored cyber threats. This approach reflects several important trends:

Attribution as a Policy Tool

By publicly naming APT31 and China's Ministry of State Security as responsible for the attacks, the Czech Republic is contributing to a broader Western strategy of "naming and shaming" state sponsors of cyber attacks. This approach aims to impose political and diplomatic costs on countries that engage in cyber espionage.

Collective Defense Mechanisms

The coordinated response from NATO and the EU demonstrates the growing effectiveness of collective defense mechanisms in cyberspace. Rather than treating cyber attacks as purely bilateral issues, democratic allies are increasingly responding as a bloc to impose greater costs on attackers.

Escalating Consequences

Ms Kallas said the EU was ready to take further action if needed to prevent, deter or respond to malicious behaviour in cyberspace, suggesting that the current diplomatic response may be only the beginning of a more comprehensive strategy to counter Chinese cyber activities.

Looking Forward: The Future of Cyber Deterrence

The Czech Republic's confrontation with China over APT31's activities marks a potential turning point in how democratic nations respond to state-sponsored cyber attacks. The incident demonstrates several key principles that are likely to shape future cyber deterrence strategies:

Collective Attribution: The coordinated response from the Czech Republic, NATO, and the EU shows that attribution of cyber attacks is becoming a multilateral effort rather than a unilateral decision.

Public Transparency: By openly discussing the technical details of the attack and the evidence linking it to Chinese state actors, the Czech government is contributing to a broader strategy of transparency designed to impose reputational costs on attackers.

Escalatory Responses: The warning from EU officials about potential further action suggests that the international community is prepared to move beyond diplomatic protests to more concrete deterrent measures.

The Czech Republic's bold stance against Chinese cyber aggression may serve as a template for how smaller nations can effectively respond to sophisticated state-sponsored threats by leveraging collective defense mechanisms and international solidarity. As cyber attacks continue to evolve as tools of statecraft, the international community's response to the APT31 campaign will likely influence how future incidents are handled and deterred.

The message from Prague is clear: state-sponsored cyber attacks will no longer be met with silence or purely private diplomatic protests. Instead, they will be met with public attribution, international coordination, and escalating consequences—marking a new phase in the ongoing struggle to establish norms and deterrence in cyberspace.

By Breached Company